Decidim - Verification admins can access supplied IDs from other organizations
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45330 (NVD)
- GHSA: GHSA-86fh-w43w-338c
GEM
SEVERITY
CVSS v3.x: 4.9 (Medium)
PATCHED VERSIONS
~> 0.30.9
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.
Impact
A tenant admin can access, reject or approve another tenant's
id_documents requests.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://rubygems.org/gems/decidim-verifications/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/releases/tag/v0.30.9
- https://github.com/decidim/decidim/pull/16666
- https://advisories.gitlab.com/gem/decidim-verifications/CVE-2026-45330
- https://github.com/decidim/decidim/security/advisories/GHSA-86fh-w43w-338c
- https://github.com/advisories/GHSA-86fh-w43w-338c
